Posted
by
msmash
on Saturday February 17, 2018 @06:00PM
from the oops dept.

Facebook has clarified the situation around SMS notifications sent using the company's two-factor authentication (2FA) system, admitting that the messages were indeed caused by a bug. From a report: In a blog post penned by Facebook Chief Security Officer Alex Stamos, the company says the error led it to "send non-security-related SMS notifications to these phone numbers." Facebook uses the automated number 362-65, or "FBOOK," as its two-factor authentication number, which is a secure way of confirming a user's identity by sending a numeric code to a secondary device like a mobile phone. That same number ended up sending users Facebook notifications without their consent. When users would attempt to get the SMS notifications to stop, the replies were posted to their own Facebook profiles as status updates.

Posted
by
BeauHDon Friday February 16, 2018 @08:25PM
from the not-what-it-appears dept.

An anonymous reader quotes an exclusive report from The Verge: In late July, Snap's director of engineering emailed the company's team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company's users: a publicly available list, embedded in a phishing website named klkviral.org, that listed 55,851 Snapchat accounts, along with their usernames and passwords. The attack appeared to be connected to a previous incident that the company believed to have been coordinated from the Dominican Republic, according to emails obtained by The Verge. Not all of the account credentials were valid, and Snap had reset the majority of the accounts following the initial attack. But for some period of time, thousands of Snapchat account credentials were available on a public website. According to a person familiar with the matter, the attack relied on a link sent to users through a compromised account that, when clicked, opened a website designed to mimic the Snapchat login screen.

Posted
by
msmash
on Friday February 16, 2018 @02:21PM
from the no-mercy dept.

Last year, a vigilante hacker broke into the servers of a company that sells spyware to everyday consumers and wiped their servers, deleting photos captured from monitored devices. A year later, the hacker has done it again. Motherboard: Thursday, the hacker said he started wiping some cloud servers that belong to Retina-X Studios, a Florida-based company that sells spyware products targeted at parents and employers, but that are also used by people to spy on their partners without their consent. Retina-X was one of two companies that were breached last year in a series of hacks that exposed the fact that many otherwise ordinary people surreptitiously install spyware on their partners' and children's phones in order to spy on them. This software has been called "stalkerware" by some.

Posted
by
msmash
on Friday February 16, 2018 @12:20PM
from the karma dept.

Intel said on Friday shareholders and customers had filed 32 class action lawsuits against the company in connection with recently-disclosed security flaws in its microchips. From a report: Most of the lawsuits -- 30 -- are customer class action cases that claim that users were harmed by Intel's "actions and/or omissions" related to the flaws, which could allow hackers to steal data from computers. Intel said in a regulatory filing it was not able to estimate the potential losses that may arise out of the lawsuits. Security researchers at the start of January publicized two flaws, dubbed Spectre and Meltdown, that affected nearly every modern computing device containing chips from Intel, Advanced Micro Devices and ARM.

Posted
by
msmash
on Friday February 16, 2018 @09:42AM
from the security-woes dept.

Google's Project Zero team has published details of an unfixed bypass for an important exploit-mitigation technique in Edge. From a report: The mitigation, Arbitrary Code Guard (ACG), arrived in the Windows 10 Creators Update to help thwart web attacks that attempt to load malicious code into memory. The defense ensures that only properly signed code can be mapped into memory. However, as Microsoft explains, Just-in-Time (JIT) compilers used in modern web browsers create a problem for ACG. JIT compilers transform JavaScript into native code, some of which is unsigned and runs in a content process.

To ensure JIT compilers work with ACG enabled, Microsoft put Edge's JIT compiling in a separate process that runs in its own isolated sandbox. Microsoft said this move was "a non-trivial engineering task." "The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages," Microsoft says. Google's Project Zero found an issue is created by the way the JIT process writes executable data into the content process.

Posted
by
BeauHDon Thursday February 15, 2018 @07:03PM
from the ready-to-pounce dept.

An anonymous reader quotes a report from Wired: In the wake of Wednesday's Parkland, Florida school shooting, which resulted in 17 deaths, troll and bot-tracking sites reported an immediate uptick in related tweets from political propaganda bots and Russia-linked Twitter accounts. Hamilton 68, a website created by Alliance for Securing Democracy, tracks Twitter activity from accounts it has identified as linked to Russian influence campaigns. On RoBhat Labs' Botcheck.me, a website created by two Berkeley students to track 1500 political propaganda bots, all of the top two-word phrases used in the last 24 hours -- excluding President Trump's name -- are related to the tragedy: School shooting, gun control, high school, Florida school. The top hashtags from the last 24 hours include Parkland, guncontrol, and guncontrolnow.

While RoBhat Labs tracks general political bots, Hamilton 68 focuses specifically on those linked to the Russian government. According to the group's data, the top link shared by Russia-linked accounts in the last 48 hours is a 2014 Politifact article that looks critically at a statistic cited by pro-gun control group Everytown for Gun Safety. Twitter accounts tracked by the group have used the old link to try to debunk today's stats about the frequency of school shootings. Another top link shared by the network covers the "deranged" Instagram account of the shooter, showing images of him holding guns and knives, wearing army hats, and a screenshot of a Google search of the phrase "Allahu Akbar." Characterizing shooters as deranged lone wolves with potential terrorist connections is a popular strategy of pro-gun groups because of the implication that new gun laws could not have prevented their actions. Meanwhile, some accounts with large bot followings are already spreading misinformation about the shooter's ties to far-left group Antifa, even though the Associated Press reported that he was a member of a local white nationalist group. The Twitter account Education4Libs, which RoBhat Labs shows is one among the top accounts tweeted at by bots, is among the prominent disseminators of that idea.

Posted
by
BeauHDon Thursday February 15, 2018 @05:20PM
from the data-breach dept.

FedEx left scanned passports, drivers licenses, and other documentation belonging to thousands of its customers exposed on a publicly accessible Amazon S3 server, reports Gizmodo. "The scanned IDs originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries. The IDs were attached to forms that included several pieces of personal information, including names, home addresses, phone numbers, and zip codes." From the report: The server, discovered by researchers at the Kromtech Security Center, was secured as of Tuesday. According to Kromtech, the server belonged to Bongo International LLC, a company that aided customers in performing shipping calculations and currency conversations, among other services. Bongo was purchased by FedEx in 2014 and renamed FedEx Cross-Border International a little over a year later. The service was discontinued in April 2017. According to Kromtech, more than 119,000 scanned documents were discovered on the server. As the documents were dated within the 2009-2012 range, its unclear if FedEx was aware of the server's existence when it purchased Bongo in 2014, the company said.

Posted
by
msmash
on Thursday February 15, 2018 @10:30AM
from the enough-is-enough dept.

Britain blamed Russia on Thursday for a cyber-attack last year, publicly pointing the finger at Moscow for spreading a virus which disrupted companies across Europe including UK-based Reckitt Benckiser. From a report: Russia denied the accusation, saying it was part of "Russophobic" campaign it said was being waged by some Western countries. The so-called NotPetya attack in June started in Ukraine where it crippled government and business computers before spreading around the world, halting operations at ports, factories and offices. Britain's foreign ministry said the attack originated from the Russian military. "The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity," the ministry said in a statement. "The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt," it said.

Posted
by
BeauHDon Wednesday February 14, 2018 @07:20PM
from the dirty-tricks dept.

According to Mashable, Facebook account holder Gabriel Lewis tweeted that Facebook texted "spam" to the phone number he submitted for the purposes of 2-factor authentication. Lewis insists that he did not have mobile notifications turned on, and when he replied "stop" and "DO NOT TEXT ME," he says those messages showed up on his Facebook wall. From the report: Lewis explained his version of the story to Mashable via Twitter direct message. "[Recently] I decided to sign up for 2FA on all of my accounts including FaceBook, shortly afterwards they started sending me notifications from the same phone number. I never signed up for it and I don't even have the FB app on my phone." Lewis further explained that he can go "for months" without signing into Facebook, which suggests the possibility that Mark Zuckerberg's creation was feeling a little neglected and trying to get him back. According to Lewis, he signed up for 2FA on Dec. 17 and the alleged spamming began on Jan. 5. Importantly, Lewis isn't the only person who claims this happened to him. One Facebook user says he accidentally told "friends and family to go [to] hell" when he "replied to the spam."

Posted
by
msmash
on Wednesday February 14, 2018 @10:22AM
from the tussle-continues dept.

Cybersecurity firm Kaspersky Lab has filed a lawsuit targeting the second of two federal bans on its wares. The latest suit goes after language in a defense law explicitly blocking the purchase of Kaspersky products. An earlier suit targets a Homeland Security directive doing the same. From a report: The bigger picture: With the White House reluctant to institute additional sanctions on Russia, White House Cyber Czar Rob Joyce pointed to Kaspersky as an example of the Trump administration taking Russia seriously. While Kaspersky isn't alleged to be involved in the election hacks of 2016, it's hard not to see the actions against the firm in the context of deteriorated relations with Moscow, as part of a growing spat between the two countries.

Posted
by
BeauHDon Tuesday February 13, 2018 @08:50PM
from the crypto-mining dept.

According to Kaspersky Lab, hackers have been exploiting a vulnerability in Telegram's desktop client to mine cryptocurrencies such as Monero and ZCash. "Kaspersky said on its website that users were tricked into downloading malicious software onto their computers that used their processing power to mine currency, or serve as a backdoor for attackers to remotely control a machine," reports Bloomberg. From the report: While analyzing the servers of malicious actors, Kaspersky researchers also found archives containing a cache of Telegram data that had been stolen from victims. The Russian security firm said it "reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in messenger's products."

Posted
by
BeauHDon Tuesday February 13, 2018 @08:30PM
from the cease-and-desist dept.

schwit1 shares a report from Activist Post: Following years of resistance from citizens, the city of Seattle has decided to completely remove controversial surveillance equipment -- at a cost of $150,000. In November 2013, Seattle residents pushed back against the installation of several mesh network nodes attached to utility poles around the downtown area. The American Civil Liberties Union of Washington and privacy advocates were immediately concerned about the ability of the nodes to gather user information via the Wi-Fi connection. The Seattle Times reports on the latest developments: "Seattle's wireless mesh network, a node of controversy about police surveillance and the role of federal funding in city policing, is coming down. Megan Erb, spokeswoman for Seattle Information Technology, said the city has budgeted $150,000 for contractor Prime Electric and city employees to remove dozens of surveillance cameras and 158 'wireless access points' -- little, off-white boxes with antennae mounted on utility poles around the city."

The nodes were purchased by the Seattle Police Department via a $3.6 million grant from the Department of Homeland Security. The Seattle Police Department argued the network would be helpful for protecting the port and for first-responder communication during emergencies. As the Times notes, "the mesh network, according to the ACLU, news reports and anti-surveillance activists from Seattle Privacy Coalition, had the potential to track and log every wireless device that moved through its system: people attending protests, people getting cups of coffee, people going to a hotel in the middle of the workday." However, by November 2013, SPD spokesman Sean Whitcomb announced, "The wireless mesh network will be deactivated until city council approves a draft (privacy) policy and until there's an opportunity for vigorous public debate." The privacy policy for the network was never developed and, instead, the city has now opted to remove the devices at a cost of $150,000. The Times notes that, "crews are tearing its hardware down and repurposing the usable parts for other city agencies, including Seattle Department of Transportation traffic cameras."

Posted
by
msmash
on Tuesday February 13, 2018 @05:10PM
from the security-woes dept.

Paul Wagenseil, writing for Tom's Guide: For a monthly fee, identity-protection services promise to do whatever they can to make sure your private personal information doesn't fall into the hands of criminals. Yet many of these services -- including LifeLock, IDShield and Credit Sesame -- put personal information at risk, because they don't let customers use two-factor authentication (2FA). This simple security precaution is offered by many online services. Without 2FA, anyone who has your email address and password -- which might be obtained from a data breach or a phishing email -- could log in to the account for your identity-protection service and, depending on how the service protects them, possibly steal your bank-account, credit-card and Social Security numbers.

Posted
by
msmash
on Tuesday February 13, 2018 @04:30PM
from the creepier-by-the-day dept.

TechCrunch reports: Onavo Protect, the VPN client from the data-security app maker acquired by Facebook back in 2013, has now popped up in the Facebook app itself, under the banner "Protect" in the navigation menu. Clicking through on "Protect" will redirect Facebook users to the "Onavo Protect -- VPN Security" app's listing on the App Store. We're currently seeing this option on iOS only, which may indicate it's more of a test than a full rollout here in the U.S. Marketing Onavo within Facebook itself could lead to a boost in users for the VPN app, which promises to warn users of malicious websites and keep information secure as you browse. But Facebook didn't buy Onavo for its security protections. Instead, Onavo's VPN allow Facebook to monitor user activity across apps, giving Facebook a big advantage in terms of spotting new trends across the larger mobile ecosystem. For example, Facebook gets an early heads up about apps that are becoming breakout hits; it can tell which are seeing slowing user growth; it sees which apps' new features appear to be resonating with their users, and much more. Further reading: Do Not, I Repeat, Do Not Download Onavo, Facebook's Vampiric VPN Service (Gizmodo).

Posted
by
msmash
on Tuesday February 13, 2018 @01:10PM
from the bye-bye-blackbird dept.

A federal judge in San Francisco has unequivocally ruled against a non-practicing entity that had sued Cloudflare for patent infringement. From a report: The judicial order effectively ends the case that Blackbird -- which Cloudflare had dubbed a "patent troll" -- had brought against the well-known security firm and content delivery network. "Abstract ideas are not patentable," US District Judge Vincent Chhabria wrote in a Monday order. The case revolved around US Patent No. 6,453,335, which describes providing a "third party data channel" online. When the case was filed in May 2017, the invention claims it can incorporate third-party data into an existing Internet connection "in a convenient and flexible way."

Posted
by
msmash
on Tuesday February 13, 2018 @11:11AM
from the taking-a-stand dept.

Leaders of the U.S. Senate Intelligence Committee said on Tuesday they were concerned about what they described as China's efforts to gain access to sensitive U.S. technologies and intellectual property through Chinese companies with government ties. From a report: Senator Richard Burr, the committee's Republican chairman, cited concerns about the spread of foreign technologies in the United States, which he called "counterintelligence and information security risks that come prepackaged with the goods and services of certain overseas vendors. The focus of my concern today is China, and specifically Chinese telecoms (companies) like Huawei and ZTE that are widely understood to have extraordinary ties to the Chinese government," Burr said. Senator Mark Warner, the committee's Democratic vice chairman, said he had similar concerns. "I'm worried about the close relationship between the Chinese government and Chinese technology firms, particularly in the area of commercialization of our surveillance technology and efforts to shape telecommunications equipment markets," Warner said.

Posted
by
BeauHDon Monday February 12, 2018 @09:00PM
from the back-to-the-drawing-board dept.

ZDNet reports of a security flaw in Skype's updater process that "can allow an attacker to gain system-level privileges to a vulnerable computer." If the bug is exploited, it "can escalate a local unprivileged user to the full 'system' level rights -- granting them access to every corner of the operating system." What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client. From the report: Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking. The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.

Posted
by
msmash
on Monday February 12, 2018 @04:20PM
from the how-about-that dept.

A new study by IBM Security surveying 4,000 adults from a few different regions of the world found that consumers are now ranking security over convenience. For the first time ever, business users and consumers are now preferring security over convenience. From a report: TechRepublic spoke with executive security advisor at IBM Security Limor Kessem to discuss this new trend. "We always talk about the ease of use, and not impacting user experience, etc, but it turns out that when it comes to their financial accounts...people actually would go the extra mile and will use extra security," Kessem said. Whether it's using two factor authentication, an SMS message on top of their password, or any other additional step for extra protection, people still want to use it. Some 74% of respondents said that they would use extra security when it comes to those accounts, she said.

Posted
by
msmash
on Sunday February 11, 2018 @10:52PM
from the security-woes dept.

Pyeongchang Winter Olympics organizers confirmed on Sunday that the Games had fallen victim to a cyber attack during Friday's opening ceremony, but they refused to reveal the source. From a report: The Games' systems, including the internet and television services, were affected by the hack two days ago but organizers said it had not compromised any critical part of their operations. "Maintaining secure operations is our purpose," said International Olympic Committee (IOC) spokesman Mark Adams. "We are not going to comment on the issue. It is one we are dealing with. We are making sure our systems are secure and they are secure."

Posted
by
msmash
on Sunday February 11, 2018 @04:40PM
from the worse-than-imagined dept.

BBC reports: The Information Commissioner's Office (ICO) took down its website after a warning that hackers were taking control of visitors' computers to mine cryptocurrency. Security researcher Scott Helme said more than 4,000 websites, including many government ones, were affected. He said the affected code had now been disabled and visitors were no longer at risk. The ICO said: "We are aware of the issue and are working to resolve it." Mr Helme said he was alerted by a friend who had received a malware warning when he visited the ICO website. He traced the problem to a website plug-in called Browsealoud, used to help blind and partially sighted people access the web. The cryptocurrency involved was Monero -- a rival to Bitcoin that is designed to make transactions in it "untraceable" back to the senders and recipients involved. The plug-in had been tampered with to add a program, Coinhive, which "mines" for Monero by running processor-intensive calculations on visitors' computers.The Register: A list of 4,200-plus affected websites can be found here: they include The City University of New York (cuny.edu), Uncle Sam's court information portal (uscourts.gov), Lund University (lu.se), the UK's Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner's Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), plus a shedload of other .gov.uk and .gov.au sites, UK NHS services, and other organizations across the globe.